



Vibram suffered five finger data breach

Aug 25, 2014 | 2 mins
Security | Supply Chain Management Software

I’m a little surprised at myself. I did some research about this data breach when it was first posted at the beginning of August but, somehow I managed to neglect to write it up.

My apologies.

It appears that from June 6th until July 7th, the hosting provider for Vibram was the victim of a targeted attack. It seems the hosting provider’s security failed Vibram, allowing the attackers to help themselves to data. A five finger discount, if you’ll pardon the pun.

As a result, your Vibram customer data was potentially compromised if you made a purchase on their website during that time frame. From the customer notification:

Vibram USA Inc. contracts with a third-party web hosting provider to manage its website: Our records show that you made a purchase from this website during the period of June 6 – July 7, 2014. We have been informed that this website was the victim of a targeted hacking attack potentially causing your credit card number to be compromised. 

The root of the problem was that the web server had been compromised and malicious code installed by miscreants. Vibram took the step of dumping their hosting provider for a new one, as well as implementing stricter security controls.

While it is unfortunate that their site was breached, coming close on the heels of losing a large lawsuit, I am happy to see that they took some steps to better secure their site. The lesson to be learned here is that when other players are introduced into your digital supply chain, you take the time to ensure that they can be counted on as a trusted partner.

Don’t be afraid to ask your supply chain partners the tough questions.



Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
